Security researchers from Rapid7 analyzed the Android applications used to control the Wink Hub 2 and Insteon Hub IoT devices. The research revealed that both applications store confidential credentials in configuration files in unencrypted form.
As a rule, Android applications do not have access to the files of other applications (except for system services with special privileges). However, there are ways for cybercriminals to get at that data, which is why Android provides a built-in secure keystore for sensitive information. There are various methods for encrypting credentials with the keystore, but some developers do not use these mechanisms for some unknown reason.
Application data can easily be extracted from lost or stolen phones that do not have strong password protection or do not use encryption. According to the researchers from Rapid7, this does not require special skills: only Google and 45 minutes of time.
As the experts found, the Android application for managing the Wink Hub 2 stored, in unprotected form, the OAuth access tokens that Wink servers use to track sessions of authorized users. The tokens allow the mobile application to send commands to the Wink Hub through the company's cloud service. As the researchers noted, even when new tokens were generated, the old ones remained valid.
Thus, even if a user tried to mitigate the risk after losing the smartphone by changing their Wink password, the OAuth tokens stored on the device would remain valid.
According to the researchers, Wink has already released an update for its application and plans to fix the problem with tokens in the near future.
Another vulnerability was found in Insteon devices. The company produces various "smart" switches, light bulbs, sockets, sensors, door locks, cameras and other IoT devices. The gadgets exchange signals using a proprietary RF protocol in the 915 MHz band. According to the researchers, because the signal is not encrypted, an intruder within communication range can intercept it and then replay it to gain control of the device. During the experiment, the security researchers managed to intercept and replay the Insteon Garage Door Control Kit signal and open the garage door.
The credentials in the application for managing the Insteon hub were also stored in unencrypted form, including the logins and passwords for user accounts and for direct management of the hub device over the local network.
The researchers informed the company of the vulnerabilities, but Insteon has not yet taken any action to eliminate them.
Wink is a company that develops software and hardware products for connecting to and managing home IoT devices through its user interface.
Insteon is a subsidiary of Smartlabs that develops home automation technology allowing light switches, lamps, thermostats, motion detectors and other electrical devices to communicate with each other over power lines, radio frequency or both.